Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 381417 (CVE-2011-3357)

Summary: <www-apps/mantisbt-1.2.7-r1 multiple vulnerabilities (CVE-2011-3357)
Product: Gentoo Security Reporter: David Hicks <david>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: david, pva, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.mantisbt.org/bugs/view.php?id=13281
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description David Hicks 2011-09-01 11:53:46 UTC
High-Tech Bridge SA Security Research Lab has reported numerous vulnerabilities against www-apps/mantisbt-1.2.7 (see https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html)

Additionally, MantisBT developer Paul Richards has performed an independent audit and discovered a number of additional MantisBT vulnerabilities.

The most critical issue thus far (local file inclusion/path traversal) has been fixed. The following patch against the 1.2.7 release of MantisBT is available: https://github.com/mantisbt/mantisbt/commit/a7eacc181185eff1dd7bd8ceaa34a91cf86cc298

We will have a number of other patches pushed ASAP and a release bundled shortly. It may be worth applying the LFI patch in the meantime due to the severe consequences it may pose to Apache users. nginx users should be unaffected due to the more sane path handling within nginx (see the commit message mentioned above for more detail).

We'll work with HTB to release a formal advisory once all the patches are pushed. CVE requests will be made on the oss-sec mailing list. 

I'll keep this bug report updated as we progress with a mantisbt-1.2.8 release.

As a side note, thanks for the quick turnaround on the recent www-apps/mantisbt-1.2.7 "security fix" release. We didn't know of these newly discovered problems until today so apologies for the extra workload.

Reproducible: Always
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-09-01 19:31:35 UTC
Thank you David. I've added this patch in mantisbt-1.2.7-r1. Arch teams, please, consider stabilization.
Comment 2 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-01 21:18:05 UTC
amd64:pass
Comment 3 Tony Vroon gentoo-dev 2011-09-02 09:05:20 UTC
+  02 Sep 2011; Tony Vroon <chainsaw@gentoo.org> mantisbt-1.2.7-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani in security bug #381417 filed by David Hicks.
Comment 4 PaweĊ‚ Hajdan, Jr. (RETIRED) gentoo-dev 2011-09-04 03:37:39 UTC
x86 stable
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-09-04 03:46:18 UTC
Thanks, folks. GLSA Vote: no.
Comment 6 David Hicks 2011-09-04 06:10:25 UTC
Hi Peter & others,

Thanks for the quick response.

All vulnerabilities have now been fixed and the 1.2.8 release has been tagged in the repository, ready for packaging and release. The original patch I produced has been replaced with a more comprehensive patch for the 1.2.8 release.

A CVE request has been sent to the oss-security mailing list.



Note the potential severity of the LFI vulnerability from my follow-up post to oss-security:

-----------
MantisBT allows users to upload attachments to bug reports. These
attachments are commonly stored on the disk in an 'attachments'
directory that should be stored outside the web root (but are still
accessible to MantisBT for retrieval).

This LFI vulnerbility therefore allows arbitrary remote code execution
on a target server (as the web user ID). This level of access could be
used to connect to the MantisBT database and access files and
configuration of other web applications operating under the same uid/gid
as the MantisBT installation.

For example, this LFI vulnerability may allow an attacker to call:
require_once('../var/www/example.com/data/mantisbt/attachments/123456-malicious_attachment.php')
-----------
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-09-04 14:19:25 UTC
(In reply to comment #6)
> Hi Peter & others,
> 
> Thanks for the quick response.
> 

Thank you, David. I've opened a new bug, 381785, to track the fixes for the other two issues.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:08:33 UTC
Added to pending GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-11-08 10:42:55 UTC
This issue was resolved and addressed in
 GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).